mirror of
https://github.com/scm-manager/scm-manager.git
synced 2026-01-18 13:32:10 +01:00
The HgPermissionFilter will now inspect the used Mercurial command of all requests which are using a read method like GET, HEAD, OPTIONS or TRACE and treat every one as a write request, except:

- no command was specified with the request (this is required for the hgweb ui)
- the command in the query string was found in the list of read commands
- if the query string contains the batch command, then all commands specified in X-HgArg headers must be in the list of read commands

This change is required in order to fix CVE-2018-1000132 for SCM-Manager.
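The decision rule from the commit message, as an added Python sketch (not SCM-Manager's Java code). The `READ_COMMANDS` allow-list, the function names, and the choice to fail closed on unparsable batch arguments are assumptions made for this example.

```python
from urllib.parse import parse_qs

# Assumed allow-list of read-only wire-protocol commands (illustrative,
# not copied from the commit).
READ_COMMANDS = frozenset({
    "heads", "branchmap", "branches", "between", "capabilities",
    "changegroup", "changegroupsubset", "clonebundles", "getbundle",
    "hello", "known", "listkeys", "lookup", "stream_out",
})
READ_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def _hgarg_values(headers):
    """Concatenate X-HgArg-<n> values in numeric order (case-insensitive)."""
    parts = []
    for name, value in headers.items():
        prefix, _, index = name.lower().rpartition("-")
        if prefix == "x-hgarg" and index.isdigit():
            parts.append((int(index), value))
    return "".join(value for _, value in sorted(parts))


def batch_commands(headers):
    """Return command names inside a batch request, or None if unparsable."""
    cmds = parse_qs(_hgarg_values(headers), keep_blank_values=True).get("cmds")
    if not cmds or len(cmds) != 1:
        return None
    # Batch entries are ';'-separated, each one "name<space>args".
    names = [entry.split(" ", 1)[0] for entry in cmds[0].split(";")]
    return names if all(names) else None


def is_write_request(method, query_string, headers):
    """True when the request must pass the write-permission check."""
    if method.upper() not in READ_METHODS:
        return True
    cmd = parse_qs(query_string, keep_blank_values=True).get("cmd")
    if not cmd:
        return False  # no command at all: hgweb UI page
    if len(cmd) != 1:
        return True   # duplicate cmd parameters: fail closed (assumption)
    if cmd[0] == "batch":
        names = batch_commands(headers)
        # Unparsable batch arguments fail closed (assumption of this sketch).
        return names is None or any(n not in READ_COMMANDS for n in names)
    return cmd[0] not in READ_COMMANDS
```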
Plugins moved; see https://bitbucket.org/sdorra/scm-manager/wiki/scm-plugins for details.